Abstract
Modelling and managing security risks from the early stages of information systems development helps to envision security threats, their consequences and potential countermeasures early on. However, security modelling languages bring benefit only if they are correctly applied and the stakeholders comprehend the models and agree about their meaning. In this paper we analyse how humans comprehend security risk-oriented/aware modelling (SRM) languages and models. Specifically, by applying the semiotic quality framework, we investigate (i) the concepts of security risk management, and (ii) participant and modeller appropriateness with regard to the SRM languages. Our results indicate the best and worst perceived SRM constructs and highlight a few challenges for improving the SRM languages.
© 2014 Springer-Verlag Berlin Heidelberg
Matulevičius, R. (2014). Model Comprehension and Stakeholder Appropriateness of Security Risk-Oriented Modelling Languages. In: Bider, I., et al. (eds.) Enterprise, Business-Process and Information Systems Modeling. BPMDS 2014, EMMSAD 2014. Lecture Notes in Business Information Processing, vol. 175. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-43745-2_23
DOI: https://doi.org/10.1007/978-3-662-43745-2_23
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-43744-5
Online ISBN: 978-3-662-43745-2
eBook Packages: Computer Science (R0)